CISSP Domains: 2015 Update - Infosec


Author: Kurt Ellzey

Bio: Kurt Ellzey currently works as a Global IT Administrator with Genthem. Kurt has worked in IT for the past 12 years, with a specialization in Information Security. During this time, he has covered a broad swath of IT tasks from system administration to application development and beyond.

DOMAIN ONE: SECURITY RISK AND MANAGEMENT
DOMAIN TWO: ASSET SECURITY
DOMAIN THREE: SECURITY ENGINEERING
DOMAIN FOUR: COMMUNICATIONS AND NETWORK SECURITY
DOMAIN FIVE: IDENTITY AND ACCESS MANAGEMENT
DOMAIN SIX: SECURITY ASSESSMENT AND TESTING
DOMAIN SEVEN: SECURITY OPERATIONS
DOMAIN EIGHT: SOFTWARE DEVELOPMENT SECURITY

Domain One: Security Risk and Management

The CISSP 2015 Update brings new viewpoints on the key domains covered in this certification. The CISSP is already one of the broadest of all certs in that the amount of information it covers in different fields is staggering. However, breaking this down into its component domains or fields can help to chop at it bit by bit. With the new updates, each domain is a bit more streamlined – a bit easier to manage in the overall picture – and becomes easier to understand.

We will be diving into each domain to see what you need to know if you have just started studying for the CISSP. Right off the bat we can say that with very few exceptions the old domains are gone. That's not to say the information isn't there anymore; it's just that the perspectives on that information have shifted. The CISSP certification has always been a managerial-level certification – understanding is required for a lot of topics across a wide range of requirements. With the new update, it zeroes in on that concept, making it easier to look at things from particular scenarios with a bird's eye view.

With that in mind, let's take a look at our first domain: Security and Risk Management: Security, Risk Compliance, Law, Regulations, Business Continuity. (Boy, that's a mouthful.)

As is usual for the CISSP, there is an awful lot of information to cover – and although a full study guide is beyond the scope of this document, it is easier to see where they are going with this domain. Five domains contribute to Security and Risk Management, all dealing with different aspects of risk and bringing them together into a single high level point.

Security Architecture and Design

Risk is a fundamental concept for security – you can throw money at something to make it go away, but only so far until the costs outweigh the potential benefits. Knowing that breaking point is a critical requirement for organizations, and having an informed decision is vital. To that end, knowing what the company values most regarding its information can help more easily draw conclusions on where to focus resources such as staff and funding. While all information needs to be kept safe to a certain degree, knowing what information needs to be kept under lock and key versus what can be put behind a friends-only filter on Facebook is a huge distinction.

Legal Regulations, Investigations and Compliance

In the Global Reality that is the information age, knowing the specifics that you have to deal with if you choose to do business in a particular country can drastically change what level of funding is available for projects. Not only that, it can completely alter where and what information is stored, depending on laws and regulations that need to be followed in order to stay on the law's good side. Despite the fact that some of these items can be fudged on paper (quite a lot of them actually), it is very important to have strong ethical requirements to keep honest users and admins. Without these guiding principles, it can be very easy to not only end up on the wrong side of the law, but behind bars as well with very heavy fines. Is there risk involved in doing business in countries with strong information retention requirements? Absolutely. Is it worth it to the organization to take on those responsibilities? That's a much bigger question.

Information Security Governance and Risk Management

Risk is not a static entity. It is fluid, ever changing and evolving. That being said, at the organizational level, risk needs to be quantified in order to plan for it. Natural disasters, information accidents, annoyed former employees: the list of potential risks can seem to go on forever sometimes. Yet a proper assessment can give values to these risks – how LIKELY is it that there is going to be an earthquake in the city in the next 20 years? How LIKELY is it that there is going to be a very annoyed and motivated ex-user that wants to make their employer pay? Being able to gauge these risks and put in place not only major insurance policies, but also passive protections can make a huge difference. For example, would the company benefit from getting a dedicated security department? Or would it be more cost effective to hire an outside contractor to be site security? Would that open more potential problems than it would solve?

Business Continuity

Just like we mentioned in the previous section, major events can happen. But that does not mean that everybody just runs around screaming after the fact. Known risks mean that they can be planned for ahead of time, and plans mean contingencies and reserved resources. Does the organization require a fully-staffed backup facility at all times? Or do they just need a set of backup tapes off-site? Is there a proper chain of command? Are there plans in place for situations where the weather is catastrophically bad? The risks around Business Continuity can be big numbers, but they must be addressed for the good of all involved.

Access Control

Allowing access to a facility, whether in the physical or information realms, is a risky business. You need to know that only authorized users are walking your halls, accessing your data and not just handing it over to your competitors. Being able to plan accordingly for potential threats to your people and your resources is not only a requirement for the good of the organization, but also for the health of your employees. The organization needs to be a safe place, or else no work would ever be done. Once these factors are accounted for, the employees must be able to be held accountable for breaches in these situations. Did somebody just open a door for someone who forgot their access token? Did another person just log in for somebody else because they forgot their password? These events can cause dire consequences if not handled properly, which is why proper training for users is vital. There is an old saying that "No battle plan survives first contact with the enemy." The other side of that coin is "No security plan survives without user assistance." Without people understanding exactly why they have to jump through hoops to access the building's vending machine outside the secured area, they have no reason to respect those policies or requirements.

Risk Management is a vital component of security, but one that may often be overlooked. Do you have to have a guard? Well sure, that's just what organizations do. Why? How many guards do you need? Where are the weak points in monitoring? How difficult would it be for someone to gain access unnoticed? How much would it be worth to the underpaid cleaning staff to take the night off and lend somebody their access codes? What's the going rate for security cards and cloning gear right now on eBay? How much trouble would the organization be in if the local authorities came in to investigate a breach in security? These are all things that need to be taken into consideration when trying to manage risk, along with a hundred more concerns.

Domain Two: Asset Security

Effective Permissions

Permissions are absolutely essential in the information age. Not every user needs to be able to read, edit or delete every document in an organization, so reducing their permissions so that they have only what they need to do their job is a first level requirement. In large organizations however, this becomes problematic if you are trying to manage users one by one. One of the easiest ways to manage large numbers of users simultaneously therefore is to use Groups instead. This allows an admin to adjust the permissions on many users at once, without needing to adjust them individually. However, this also means that if a user is assigned to groups with varying levels of permissions on the same object, they may have more access than was intended. Checking the Effective Permissions of users can tell exactly what they are allowed to do, and allow the admin to make adjustments as needed – perhaps to more than just the user being examined.

Data Classification

Not every user needs to be able to access every file. In order to have a scale to go by in this situation, data needs to be classified on a number of variables: What department does this belong to? Does this contain PII? Does it have any confidential information in it? Is this information for CXO eyes only? Could it hurt the organization or worse if it is released to the public? In this way, the responsibilities tied to particular users can be assigned accordingly to allow them to perform their duties as well as limit potential threats to the organization either by accidental or malicious causes. Additionally, it allows for specific instructions to be given to users regarding particular cases. For example, it gets tiring to users if they need to protect all information at the maximum level. However, if they know to treat particular information as special and then the rest at a different level, it becomes easier and less stressful overall. The easier it is for the user, the more likely they are to follow instructions and procedures.

File Permission Terminology and Concepts

While the implementation of file permissions can have thousands of different combinations, the actual ideas behind what a user can do with a particular file or directory come down to three distinct concepts: (r)ead, (w)rite and e(x)ecute. Read allows the user to see that the file exists, and if it is a non-executable file, to open it. Write allows the user to create files, and depending on the operating system allows for the modification of existing files. Execute allows the user to run programs or scripts.

While it seems like these are additive permissions (and in many cases they are) – a user being required to have read permissions before they are allowed to write to a file – it isn't always the case. For example: I ran into an issue when I was taking online classes where we were required to submit our papers to a particular directory. We had Write access to this directory, but not Read access. What that means was that we were able to drag and drop our submissions into this folder, but not able to see what was actually in that directory. As a rule, certain permission classes such as 'Deny' are frowned upon because they can cause a lot of potential problems.
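The effective-permission check and the write-without-read drop box described above, as an added Python example that is not from the article. It models a simplified ACL in which group entries allow or deny (r)ead, (w)rite and e(x)ecute, resolves a user's effective set across all their groups (an explicit deny wins), and reports which group is responsible for any permission beyond what was intended; all group, user and folder names are constructed.

```python
"""Effective permissions across group memberships.

Added example, not from the article. Each access control entry allows or
denies some of (r)ead, (w)rite and e(x)ecute to a group. A user's effective
permissions on an object are everything their groups allow minus anything
any of their groups deny (deny wins, the usual rule where explicit deny
entries exist). Group, user and folder names are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    """One access control entry on an object."""
    group: str
    kind: str             # "allow" or "deny"
    perms: frozenset      # subset of {"r", "w", "x"}


@dataclass
class Report:
    effective: frozenset  # what the user can actually do
    granted_by: dict      # perm -> set of groups that allow it
    denied_by: dict       # perm -> set of groups that deny it


def effective_permissions(user_groups, acl):
    """Resolve the ACL for a user who belongs to the given groups."""
    allowed, denied = {}, {}
    for ace in acl:
        if ace.group not in user_groups:
            continue                      # entry does not apply to this user
        bucket = allowed if ace.kind == "allow" else denied
        for perm in ace.perms:
            bucket.setdefault(perm, set()).add(ace.group)
    effective = frozenset(p for p in allowed if p not in denied)
    return Report(effective, allowed, denied)


def excess_permissions(user_groups, acl, intended):
    """Permissions held beyond what was intended, with the group memberships
    responsible, so the admin knows whether to fix the user or the group."""
    report = effective_permissions(user_groups, acl)
    extra = report.effective - frozenset(intended)
    return {p: sorted(report.granted_by[p]) for p in sorted(extra)}


# Constructed ACL on a shared "Budgets" folder.
BUDGETS_ACL = [
    Ace("Staff", "allow", frozenset("r")),
    Ace("Finance", "allow", frozenset("rw")),
    Ace("Interns", "deny", frozenset("w")),     # deny wins over Finance's allow
]

# Constructed ACL on a paper-submission drop box: write and traverse but no
# read, so users can drop files in without seeing what is already there.
DROPBOX_ACL = [
    Ace("Students", "allow", frozenset("wx")),
]

USERS = {
    "alice": {"Staff", "Finance"},              # intended: read only
    "bob": {"Staff", "Finance", "Interns"},     # the deny strips the write
    "carol": {"Students"},                      # write-only drop box
}


def main():
    for name, groups in USERS.items():
        rep = effective_permissions(groups, BUDGETS_ACL)
        print(f"{name:6} Budgets: {''.join(sorted(rep.effective)) or '-'}")
    print("alice beyond read-only:",
          excess_permissions(USERS["alice"], BUDGETS_ACL, "r"))
    drop = effective_permissions(USERS["carol"], DROPBOX_ACL)
    print("carol drop box:", "".join(sorted(drop.effective)))


if __name__ == "__main__":
    main()
```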

Access Control Methodologies

There are a handful of models when it comes to the way that permissions work, and the structures for those differ in a handful of key ways. A full description of how these work can be found in another article at The InfoSec Institute located here. The style that most people will run into on a regular basis is based off of Role Based Access Control: if you start working at an organization with a particular title, there will be a default set of permissions associated with that particular title. Many times administrators will be given an existing person as an example and told "Give them everything this person has". While that can be great for a start, if the example has had their permissions modified to allow access to areas that they specifically need access to – not everybody with that title, for instance – then that can cause potential issues with granting permissions beyond what that new hire needs to perform their duties.

Administer Permissions in Various Environments

Not every system is able to use the same kinds of permissions. While it would be great to use Active Directory permissions across the board, not every system ties into a domain structure. If you are using a Linux box for a file server, you need to understand that type of structure. If you only want certain people to be allowed to use USB devices in your environment, you need to understand how to make that happen. If you want particular people to be able to VPN into your network from outside, you will need to be able to understand how that would be done.

Permissions cover a wide variety of issues in an organization, and despite being very familiar with a particular set of permissions, it is always possible that you may need to adapt to a new setup quickly. Understanding the core concepts behind permissions in general allows you to recognize where you can use the same styles of administration, and where you don't necessarily need to re-invent the wheel.

Prepare for Permission Escalation-Type Attacks

Permission Escalation can take two different forms: being granted permissions normally assigned to different or higher level users, or being granted permissions normally associated with a different level of the operating system. For example: if a malicious user broke into your environment with a set of compromised credentials, they would first have the permissions of that particular user. If they were able to then compromise another user of the same department, they could potentially gain access to more data. However, if they move to either the manager of that department, or to another user in a different department, they would gain access to a huge amount of new information, and so on. On the other hand, if when they broke into the environment using that compromised user's credentials they decided that they wanted to move from a standard user to an admin-level user, they would need to use exploits on the system or on the network to gain that access. There are a lot of different ways to accomplish both these tasks, so having your users trained to guard their credentials and use best practices on your privileged accounts is strongly encouraged.

Protecting Data at Rest

Data at rest is stored data – whether on a hard disk, tape, optical media, or other storage device. Protecting this can take many forms: encryption, safes, locked cabinets, the list goes on and on. Knowing what is available for particular options, and how that will impact the performance when users try to access that data, is critical to choosing the best option for your environment.

Protecting Data in Transit

Data in transit is data going across the wire, whether that is via a web server, email, instant messaging, etc. Replacing legacy protocols such as FTP with newer, stronger protocols can go a long way to helping to secure data in transit, but not always. The use of an encrypted point to point connection such as a VPN can help protect data from prying eyes, but again the exact method used will vary depending on your requirements.

Protecting assets is the reason why security exists in the first place: whether guarding a file cabinet or a person, it is security's job to make sure that no harm comes to what is being protected. How much security is needed to protect a specific target? What are the most likely attacks to come after that target? Who might know where those attacks are coming from? Is there a new exploit that we need to be on guard against? Are there any annoyed users that may be susceptible to being bought? Are there higher ranking officials that are set in their ways and do not feel the need to protect themselves or their credentials? These are all things that need to be taken into consideration when trying to manage assets, along with a hundred more concerns.

Domain Three: Security Engineering

Software Development Security

When custom programs and solutions are being developed, there are a lot of potential problem areas: Is the IDE secure? Are there any problems in the language that could be exploited easily? Are there holes in the code put there by a previous programmer? Was the program developed to separate hard-coded credentials from the standard program?

When developing code that will be used by a large group – whether consumers, companies or other organizations – it is important to be able to not only create secure code but to prove it as such. Therefore, early on in the design cycle, it is important to know what weaknesses have been encountered before by past auditors so that history does not repeat itself. Not only will this create a more secure product, but it will reduce time to market – resulting in happier end users.

Cryptography

Cryptography is an excellent tool, but only when it is implemented effectively. Headlines have been made consistently over the past several years regarding solutions that either were not implemented according to best practices, ways that were discovered to get around roadblocks, or just that the protections were brute forced into obsolescence. Knowing the requirements of your solution or objective will help you know what you need to be certain is working correctly: Do you need to secure information from prying eyes at all costs? Do you need to be certain that data is not modified in transit? Or is it enough to be able to prove that the data was sent from a particular source?

It is also important to know your responsibilities to your users: that you are not putting a hole into their environment. It's one thing to provide a solution to a problem they are having, but introducing a new attack vector along with it is an entirely different matter.

Physical (Environmental) Security

Did you know that balls and pillars in front of shops are there for security and safety reasons more often than for styling? Did you also know that just introducing grass and shrubs can help redirect foot traffic to a predictable trail? What would be more effective in your environment: patrolling guards, or a fleet of cameras and facial recognition?

Knowing where people are going to be, and using passive methods to reduce security requirements, can help a great deal – regardless of whether you are on a budget or not. Reducing entry points to a single point of contact can help drastically improve your overall standing, but even if there is only one way in on the ground floor there are usually other ways in when there are issues with HVAC systems. In controlled environments, predictable heating and cooling are as vital as electricity and water. While it might be silly to think about, the larger or older the building you are in, the more likely you are to run into a 'Die Hard' scenario: someone able to infiltrate the building and use the HVAC system as a way to get around undetected.

Security Architecture & Design

Just because you are building a system from scratch doesn't mean you have to reinvent the entire idea of security. There are dozens of well known, tried and tested security models that can be reviewed and adjusted as needed based on your requirements. The tricky part is being able to see what is more effective before you spend a small fortune on implementing a solution, only to find out that it doesn't scale well and you need to find a new option. Once you have your solution stable and in place, it is important to be able to test it regularly – finding out where your weak spots are, seeing what kinds of countermeasures need to be put in place to eliminate threats, and training your security officers – whether information security or physical security – to be ready to handle the problems that will come up.

Security Engineering is about more than just crafting a secure environment. It's about the entire idea of security permeating everything that the organization does – from day to day operations, to project management and auditing, to controlling the thermostat. The basic cycle of Idea, Design, Implement, Maintain covers nearly every project you could ever run into, and as with all projects that involve engineering, the earlier a problem is identified and fixed, the less it is going to cost the organization. Spend the time needed to brainstorm options. Find out what different vendors have to offer when you are looking at home built versus market standard grade products. Discover if it would be more efficient to bring in a third party to help set up when you are going live with a project. Finally, if you are going with a premade solution, conduct a review as to whether it would reduce costs to bite the bullet and pay most of the cost up front, rather than take on a more expensive maintenance contract. Or perhaps your people could be trained to deal with every issue they could come across in a particular situation – that is what this domain is all about: finding out what is best for the organization, in a given environment, with a specified budget.

Domain Four: Communications and Network Security

Almost more than any other domain in the update, this domain lines up very well with its predecessor – the two cover the same basic footprint, however the new domain covers newer technologies and methodologies than the previous one.

Network Infrastructure Concepts

Before someone can try to secure a network, they need to understand the basics of what makes a network function. Without being able to wrap your head around the theory of how a document would go from halfway around the world to your workstation, it would be very difficult to be able to secure the path that it takes to get from point to point.

OSI and TCP/IP Models

(Images of the OSI and TCP/IP models provided by Wikipedia)

The OSI model is considered by many to be the cornerstone on which all networking and user interaction theory sits. It is a type of framework that is relatively easy to understand, and it's possible to classify most elements to a particular primary layer. The problem with this structure is that in reality, it's ignored most of the time. The model that most directly lines up with what is actually used on a day to day basis is the TCP/IP model. The models themselves are very similar, both in terminology and functionality, but critically the TCP/IP model does not directly address the physical hardware that the OSI model addresses.

Hardening Network Hardware

To many, the difficult part in building a network is getting everything to talk to each other and function correctly. From the security point of view however, this is just getting started. Most devices still ship in a configuration that allows for the widest possible usage, which from a setup point of view is great, but not as far as security goes. The 'secure by default' idea has been progressing well – many consumer-grade access points that are provided by ISPs for instance now come with WPA2 enabled and a randomized password.

Secure Communications Channels

It's no secret that there are a lot of ways that we communicate on a daily basis that can be tracked. There are situations however where this is not only dangerous, but can cause tremendous problems for the organization – whether through revealing user locations, or disseminating information that is gleaned from the conversation. This means that secure communications must be enabled and configured correctly, and insecure methods need to be blocked. For example, say that your company only wants users to use their in-house developed instant messenger client. To enforce this, other clients would then need to be blocked, so that users don't revert back to using software that they may be more comfortable with.

Network Attacks and Mitigation

"Know your enemy and know yourself, find naught in fear for 100 battles. Know yourself but not your enemy, find level of loss and victory. Know thy enemy but not yourself, wallow in defeat every time." Cyberattacks are coming more often than ever, and it is extremely important to know your organization's defenses and weak points, as well as what attacks and vectors are used in your local area and business type. Being able to detect attacks, deal with them, and having staff trained to manage all sides of the situation is incredibly important, as well as knowing what the new attacks are that seem to be coming on a daily basis now.

Endpoint Security

The 'Endpoint' – the level at which primary defenses need to be active – keeps moving. Being able to have strong security on individual nodes – regardless of whether that is a workstation, a mobile or a server – is more important than ever. Making sure that your solutions work together in a cohesive mesh rather than fight against each other is absolutely vital, or else you could see a situation where you're having to deliberately break your security just to try to get things to talk to each other. I'm not saying that this doesn't happen, and in some cases it is required, but it should be an absolute last resort – something that happens no more than once in a blue moon.

Remote Access

The Mobile Office has been here for quite some time, and as a result, trying to create a solid wall to protect the network becomes difficult. Holes need to be drilled through the barrier to allow services and devices to connect reliably, from both individual users as well as other corporate locations and partners. This means being able to create secure connections regardless of whether the person is at their desk or at their vacation house in Wyoming. There are many different methods of remote access, and if the IT department does not create a secure option for this, users may find their own options and open up an unknown threat into the network.

Network Access Control Devices

Network Access Control is a friend of the admin – something that can help keep visitors from just plugging into any port they can find and going to town on the network. Sticky ports, dedicated appliances, VPNs, single sign-on, proxy servers: the list of options available to help secure connections is huge. The nice part about these methods is that most are capable of working together with each other, so that you do not necessarily need to trust only one method. Do you want to keep ports locked at user desks but open in a conference room? Add in single sign-on as well. Users don't like jumping through hoops, but if you create something that is mostly invisible and adds functionality rather than putting roadblocks in their path, they are going to want to use it.

Domain Five: Identity and Access Management

Controls

There are three basic categories of software that help to control what users can do with access: Preventive, Detective and Corrective. Preventive controls block users from performing certain actions, and are implemented through methods such as DRM. Detective controls pick up on actions going on either on individual systems or across the network and act accordingly. An example of this type of control would be something like a Network Intrusion Detection System. Corrective controls are the fail-safe software, such as your automatic backups, that help restore order when things go wrong.

Access Control Techniques

There are a number of different types of access control, and each of them uses a slightly different style of controlling the way that users gain access to data.

Discretionary Access Control – where users have access to grant each other permission directly, such as in an ad-hoc network.

Mandatory Access Control – where every user is granted permissions specifically from a central source.

Role Based Access Control – where users are given roles and assigned to groups, then granted permissions according to their job functions.

Vulnerability Analysis

Access Control only works when users can't just get around it, or more appropriately, when it is easier to use the authorized method than the unauthorized one. In order to keep this balance in order, it is necessary to perform a vulnerability analysis to check where the weak spots in your authentication style are. Do you regularly grant users more permissions than they need to complete their task? Is there a known exploit in the version of Kerberos that your operating system uses? Can users just boot up a live Linux distro and bypass the authentication entirely?

Threat Modeling

When performing the vulnerability analysis, it will be necessary to take a look at what you are currently using to authenticate, and see what potential attack vectors can come from it. This means knowing your environment and knowing what is out there, so you can correctly profile what you are likely to come across. For example, if there is a known issue in the neighborhood where false delivery people come in and steal from nearby organizations, you would want to increase your user training on unauthorized visitors. Likewise, if there is a common attack against your business type right now, it would be good to increase security against that type of situation.

Provisioning Lifecycle

Users, servers and software come and go. When this happens, you need to understand how to grant and remove permissions as needed. For instance, when software that connects out to a 3rd party server is no longer needed, then the software needs to be uninstalled and its associated service account disabled so that that vector is no longer available to exploit. On the other hand, when a new user comes along, there needs to be a specific process to request only the permissions they need, and have that list verified before access is granted.

Access Aggregation

Users gain new permissions, whether it's on a per-project basis, moving from department to department, or a promotion. While not a bad thing in principle, this could potentially grant them more access than is intended. When in this type of situation, looking at the big picture is important. While being granted small permissions in each group they are a member of doesn't seem like a big thing, they can add up very quickly.

Device and Facility Security

A typical user's home is not left unlocked when they are not there to protect it, likewise with a running vehicle or other important objects. With this in mind, it is vital to make them understand that leaving a computer logged in, unlocked and unattended is dangerous in the same way that leaving the front door of the office with no one paying attention is dangerous. Anyone could come by and do all sorts of 'very bad things', and the user would be t
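The Provisioning Lifecycle and Access Aggregation points above, as an added Python access review that is not from the article: it compares a user's accumulated group memberships (kept from hiring, a project, a promotion and a department transfer) against the baseline for their current role, reports what is missing, and flags still-enabled service accounts whose application has been decommissioned. The role baselines, groups, applications and the user's history are all constructed for the example.

```python
"""Access review: aggregated group membership and stale service accounts.

Added example, not from the article. Constructed sample data models a user
whose group memberships accumulated through a project, a promotion and a
department transfer without the old ones being removed, plus service accounts
tied to applications, one of which has been decommissioned. Role baselines,
group and application names are all invented for the example.
"""
from dataclasses import dataclass

# Which groups each job title is supposed to carry (constructed baseline).
ROLE_BASELINE = {
    "Analyst": {"Staff", "Reporting-Readers"},
    "Senior Analyst": {"Staff", "Reporting-Readers", "Reporting-Editors"},
    "Finance Manager": {"Staff", "Finance", "Finance-Approvers"},
}


@dataclass(frozen=True)
class Grant:
    group: str
    reason: str      # "hired", "project", "transfer", "promotion"


@dataclass
class User:
    name: str
    role: str        # current job title
    grants: list     # Grant objects in the order they were added


def aggregation_review(user):
    """Groups the user holds that the current role does not justify, keyed by
    group name with the reason the membership was first granted."""
    baseline = ROLE_BASELINE[user.role]
    first_reason = {}
    for grant in user.grants:
        first_reason.setdefault(grant.group, grant.reason)
    return {g: why for g, why in first_reason.items() if g not in baseline}


def provisioning_gaps(user):
    """Groups the current role requires that were never granted."""
    held = {g.group for g in user.grants}
    return sorted(ROLE_BASELINE[user.role] - held)


@dataclass(frozen=True)
class ServiceAccount:
    name: str
    application: str
    enabled: bool


def orphaned_service_accounts(accounts, active_applications):
    """Enabled service accounts whose application is no longer in use; these
    should be disabled along with the uninstalled software."""
    return sorted(a.name for a in accounts
                  if a.enabled and a.application not in active_applications)


# Constructed history: hired as Analyst, project work, promoted, then
# transferred into Finance as a manager. Nothing was ever removed.
DANA = User("dana", "Finance Manager", [
    Grant("Staff", "hired"),
    Grant("Reporting-Readers", "hired"),
    Grant("Project-Atlas", "project"),
    Grant("Reporting-Editors", "promotion"),
    Grant("Finance", "transfer"),
])

SERVICE_ACCOUNTS = [
    ServiceAccount("svc_backup", "Backup", True),
    ServiceAccount("svc_crm_sync", "LegacyCRM", True),   # app decommissioned
    ServiceAccount("svc_crm_old", "LegacyCRM", False),   # already disabled
]
ACTIVE_APPLICATIONS = {"Backup"}


def main():
    print("excess groups for dana:", aggregation_review(DANA))
    print("missing groups for dana:", provisioning_gaps(DANA))
    print("orphaned service accounts:",
          orphaned_service_accounts(SERVICE_ACCOUNTS, ACTIVE_APPLICATIONS))


if __name__ == "__main__":
    main()
```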
